Published: October 22, 2025

12 min read

CbCR Risk Assessment: How Tax Authorities Analyze CbC Reports (2025)

Borys Ulanenko

CEO of ArmsLength AI

TL;DR - Key Takeaways

Treat CbCR as a risk-scoring dataset: expect automated ratio tests (profit/employee, profit/assets, ETR) and year-over-year trend flags.
If your group meets the €750m threshold (based on consolidated revenue in the immediately preceding fiscal year), run a pre-filing CbCR risk assessment that mirrors tax authority dashboards—before you file.
Use Table 3 to explain predictable outliers (low ETR, one-offs, restructurings, data sources/FX) and reduce “unexplained anomaly” risk.
Misalignment between CbCR, the Master File, and Local Files is a common driver of follow-up questions and issue selection; Pillar Two transitional safe harbours make CbCR data quality and explainability even more operationally important.

Sources

Stay updated with our newsletter

Get the latest transfer pricing insights, AI benchmarking tips, and industry updates delivered straight to your inbox.

Published: October 22, 2025

12 min read

CbCR Risk Assessment: How Tax Authorities Analyze CbC Reports (2025)

Borys Ulanenko

CEO of ArmsLength AI

TL;DR - Key Takeaways

Treat CbCR as a risk-scoring dataset: expect automated ratio tests (profit/employee, profit/assets, ETR) and year-over-year trend flags.
If your group meets the €750m threshold (based on consolidated revenue in the immediately preceding fiscal year), run a pre-filing CbCR risk assessment that mirrors tax authority dashboards—before you file.
Use Table 3 to explain predictable outliers (low ETR, one-offs, restructurings, data sources/FX) and reduce “unexplained anomaly” risk.
Misalignment between CbCR, the Master File, and Local Files is a common driver of follow-up questions and issue selection; Pillar Two transitional safe harbours make CbCR data quality and explainability even more operationally important.

Quick Answer: CbCR Risk Assessment

CbCR risk assessment is how tax authorities use Country-by-Country Reporting data to score transfer pricing and BEPS risk, select cases, and plan targeted enquiries—ahead of any transaction-level review. In practice, authorities compute ratio outliers (e.g., profit per employee, profit per tangible assets, effective tax rate) and then corroborate signals using the Master File, Local Files, tax returns, and other datasets. Under OECD “appropriate use,” CbCR should not be used to make formulary adjustments or as conclusive evidence of arm’s length outcomes (OECD Action 13 (2015) ¶25, ¶59). The most effective taxpayer response is a repeatable pre-filing self-assessment plus a disciplined Table 3 narrative that explains predictable anomalies and data-source choices.

Terminology note (ETR): in CbCR analytics, “ETR” is commonly computed using Income Tax Accrued – Current Year divided by Profit (Loss) before Income Tax (a current-tax proxy). This is different from “ETR” in Pillar Two transitional safe harbour calculations, which uses Simplified Covered Taxes derived from Qualified Financial Statements (OECD (2022) Safe Harbours and Penalty Relief).

Key Takeaways

→CbCR is designed for high-level risk screening—expect automated analytics, not manual “reading” first.

→Unexplained outliers (low ETR + mobile activities, profit with few employees/assets, persistent losses in markets) drive audit selection.

→Table 3 is your primary tool to pre-empt misinterpretation—keep explanations brief, specific, and consistent with TP files.

→Data quality failures (entity lists, currency/FX, inconsistent Tables 1–2) can trigger correction requests and credibility issues.

What tax authorities can (and cannot) do with CbCR data

Tax authorities receive CbC reports to get a jurisdiction-by-jurisdiction picture of where a group reports revenue, profit, tax, and proxies for real activity (employees and tangible assets). That makes CbCR unusually “algorithm-friendly”: it’s standardized, repeatable year-over-year, and comparable across large populations.

Scope and thresholds vary by regime. The OECD standard uses a consolidated revenue threshold of €750 million (or a near equivalent in domestic currency) based on the immediately preceding fiscal year (OECD Action 13 (2015)). In the EU, DAC4 applies to MNE groups with consolidated revenue ≥ €750 million and an EU presence (European Commission — DAC4). In the US, CbCR is filed on Form 8975 using a $850 million preceding-period revenue threshold (IRS Form 8975 / Treas. Reg. §1.6038-4).

“Appropriate use” is the legal and practical boundary

The OECD standard is explicit: CbCR supports high-level transfer pricing risk assessment, other BEPS-related risk assessment, and (where appropriate) economic/statistical analysis—but it is not a substitute for a detailed TP analysis and should not be used to make income adjustments via a formula (OECD Action 13 (2015) ¶25, ¶59).

For taxpayers, “appropriate use” matters even when your local audit team is careful: CbCR is exchanged across jurisdictions. A single unexplained anomaly can trigger multi-country questions, coordinated issue selection, or a “please reconcile” request chain.

What this means in day-to-day risk assessment

Even though authorities shouldn’t assess arm’s length pricing directly from CbCR, they can (and do):

Score and rank groups and jurisdictions for audit selection
Form risk hypotheses (e.g., profit concentration, mischaracterized limited-risk entities)
Launch targeted information requests (segmented P&Ls, intercompany agreements, DEMPE evidence, financing terms)
Cross-check CbCR signals against other data (statutory accounts, tax returns, customs/VAT, rulings/APAs), as described in the OECD risk assessment handbook (OECD (2017) CbCR Handbook).

What’s inside a CbC report (Tables 1–3) and why it drives analytics

If you want to manage cbcr risk assessment outcomes, start with what the dataset actually contains.

Table 1: the ratios come from these fields

Table 1 aggregates, by tax jurisdiction: total revenue (split related/unrelated), profit (loss) before income tax, income tax paid (cash), income tax accrued (current year), stated capital, accumulated earnings (often referred to internally as “retained earnings”), number of employees, and tangible assets other than cash (OECD Action 13 (2015), CbCR template).

Table 2: entity inventory + business activities

Table 2 lists the constituent entities in each jurisdiction and their main business activities. This is where authorities check whether the story “fits” (e.g., an IP holding entity vs. a full-function operating hub).

Table 3: your risk narrative lever

Table 3 (“Additional Information”) exists to provide brief information or explanation that is necessary—or that would facilitate understanding—of the compulsory information in Tables 1 and 2 (OECD Action 13 (2015), CbCR template; OECD (2017) CbCR Handbook). In a ratio-driven world, Table 3 is often the difference between a flagged outlier that is explainable and a flagged outlier that becomes an audit plan.

Treat Table 3 as a controlled “variance explanation” schedule: explain only what a reasonable analyst would need to avoid a wrong inference, and point to where the detailed support sits (Master File/Local File/workpapers).

How tax authorities analyze CbCR data: a typical workflow

The OECD’s handbook and tax administration practice (including the OECD “common errors” note) point to a fairly consistent process (OECD (2017) CbCR Handbook; OECD (May 2025) Common errors).

Stage	What happens	Why it matters to you
1) Ingestion & schema validation	XML/schema checks; technical rejects or flags	Technical failures can delay filing acceptance and trigger follow-up
2) Data quality checks	Completeness, jurisdiction/entity consistency, currency logic, unusual placeholders	“Bad data” is itself a risk indicator and can undermine credibility
3) Automated scoring	Ratio dashboards, trend flags, peer comparisons where available	Most issue selection is driven here
4) Qualitative overlay	Review Table 2 activities + Table 3 explanations	Good Table 3 notes can de-escalate outliers
5) Corroboration	Compare against TP files, returns, accounts, customs/VAT, WHT	Misalignment drives enquiries
6) Case selection & audit planning	Pick jurisdictions/issues; draft questions; coordinate where needed	You’ll see targeted, ratio-led questionnaires

A common taxpayer mistake is assuming “nobody reads CbCR.” In reality, CbCR is often machine-scored first and read only when the score (or a specific ratio) crosses an internal threshold.

Core CbCR risk indicators (and how they’re computed)

Tax authorities generally compute indicators directly from Table 1. The OECD handbook describes these as risk indicators, not conclusions (OECD (2017) CbCR Handbook).

The most common ratios you should pre-compute

Use the same basic formulas a tax authority will use:

text

Profit per employee = Profit (Loss) before income tax / Number of employees
Profit per tangible assets = Profit (Loss) before income tax / Tangible assets (non-cash)

ETR (CbCR current-tax proxy) = Income tax accrued (current year) / Profit (Loss) before income tax
Cash-tax ratio (often reviewed alongside ETR) = Income tax paid (cash basis) / Profit (Loss) before income tax

Related-party revenue share = Related-party revenue / Total revenue
Profit margin = Profit (Loss) before income tax / Total revenue
Pre-tax return on equity = Profit (Loss) before income tax / (Stated capital + Accumulated earnings)

“Two ETRs” that often get mixed up

CbCR current-tax ETR (risk-screening ratio): Income Tax Accrued – Current Year / PBT. “Income Tax Accrued – Current Year” is current tax expense and “should not include deferred taxes or provisions for uncertain tax liabilities” (OECD Action 13 (2015), template instructions).
Pillar Two transitional safe harbour Simplified ETR: Simplified Covered Taxes (from Qualified Financial Statements) / PBT (from the Qualified CbC Report) (OECD (2022) Safe Harbours and Penalty Relief).

Indicator	Typical “why it flags risk”	Common legitimate explanations (should be in Table 3 or TP files)
Profit per employee	High profit with low headcount suggests profit concentration vs. substance	Automation, high-value intangibles with real DEMPE, central entrepreneur with controlled outsourcing
Profit per tangible assets	High return on tangibles suggests intangible-driven profit in low-tax locations	IP ownership + DEMPE, contract manufacturing vs. principal model, measurement differences for tangible assets
Low ETR (CbCR current-tax proxy)	Potential low-tax profit parking, incentives, mismatched tax bases	Tax holidays/patent box, loss utilization, tax credits, exempt income under local law, statutory rate differences, one-off current-year items that affect taxable profit vs accounting PBT (document what it is and why it recurs/doesn’t)
Tax paid materially below tax accrued (over time)	Potential cash-tax leakage, disputes, or timing patterns that merit follow-up	Loss carryforwards affecting cash tax, withholding tax mechanics, refunds/offsets, settled/unsettled disputes, payment timing differences (OECD (2017) CbCR Handbook)
High related-party revenue share	Signals hub entities, principal models, financing centers	Centralized procurement, centralized IP licensing, genuine service center with cost-plus
Persistent losses in market jurisdictions	Mismatch with “routine distributor/manufacturer” characterization	Start-up/exit, market disruption, one-off write-downs, deliberate market investment supported by comparables
Sudden year-over-year shifts	Profit movement without people/assets movement suggests restructuring or pricing change	Post-merger integration, transfer of intangibles, supply chain changes, exceptional items

Interpret ratios like an auditor (but document like a taxpayer)

Authorities tend to combine indicators. A low ETR alone may not be enough. A low ETR plus:

mobile activities (IP holding, intra-group financing, procurement hubs),
high related-party revenue,
and very high profit per employee,

is a classic “stacked” risk case in the OECD examples (OECD (2017) CbCR Handbook).

What triggers CbCR-based audit selection (the patterns that recur)

CbCR audit triggers are rarely a single number. They’re patterns that look inconsistent with a value chain story.

Trigger patterns seen most often

Profit clustering in low-tax jurisdictions with minimal employees/tangibles (profit/substance misalignment)
Low ETR jurisdictions that also show mobile income characteristics (royalties, financing, service hubs inferred via Table 2)
Large-market jurisdictions with persistent losses or very low margins inconsistent with “routine” profiles
Sudden shifts in profit, headcount, or tangible assets without a clear business event
High related-party revenue concentrations that appear inconsistent with local functions
Internal inconsistency across Tables 1 and 2 (missing entities, wrong jurisdictions) or obvious data anomalies (OECD (May 2025) Common errors)
Misalignment with Master File/Local Files (CbCR says profit is in A; Master File says DEMPE/value creation is in B) — often a driver of follow-up questions and targeted enquiries (OECD (2017) CbCR Handbook)

The risk event is often not the structure—it’s the gap between (1) where CbCR shows profit, (2) where the Master File says value is created, and (3) how Local Files support the tested party outcomes.

How to run a pre-filing CbCR risk assessment (a repeatable playbook)

A practical cbcr risk assessment process should be repeatable, evidence-based, and timed before filing—so you can correct errors, adjust Table 3 explanations, and ensure documentation alignment.

Step 1: Validate data quality before you analyze ratios

The OECD’s 2025 note emphasizes that many administrations run automated validations and may request corrections (OECD (May 2025) Common errors). Build these checks into your close process:

Table 1 totals reconcile to your chosen source (consolidation/statutory/management) per your CbCR methodology
Single currency and consistent FX approach (document it)
Table 2 entity list completeness (entities, jurisdictions, permanent establishments where relevant)
Reasonableness checks (e.g., negative tangible assets, headcount missing in operating jurisdictions)

Action 13’s template instructions also expect you to describe data sources and state the exchange rate approach in Table 3 / “Additional Information” (OECD Action 13 (2015), template instructions).

Step 2: Compute authority-style dashboards (by jurisdiction and trend)

At minimum, compute:

Profit per employee
Profit per tangible assets
ETR (accrued tax / PBT, with guardrails for losses/near-zero profits)
Related-party revenue share
Year-over-year deltas for PBT, revenue, employees, tangible assets

Then segment jurisdictions into:

Expected (within historical band)
Explainable outliers (need Table 3)
Structural mismatches (need TP file refresh or policy change)

Step 3: Write the “risk hypothesis” before the tax authority does

For each explainable outlier, draft:

what a tax authority might infer, and
the concise explanation + where support exists.

This becomes your Table 3 content and your internal “audit-ready” memo.

Decision Criteria

Use Table 3 when an outlier is predictable, recurring, and explainable (e.g., tax holiday, restructuring, start-up losses).

Escalate to TP policy review when the CbCR pattern contradicts your functional characterization (e.g., “limited-risk” entity with sustained losses).

Fix the data (don’t explain it) when the outlier is caused by currency, mapping, entity list errors, or inconsistent source systems.

Align documentation when CbCR, Master File, and Local Files tell different stories about where value is created and who controls key risks.

Using Table 3 strategically: what to include (and how to keep it defensible)

Table 3 is not a dumping ground. It is a short, structured explanation designed to prevent misinterpretation (OECD (2017) CbCR Handbook; OECD Action 13 (2015), CbCR template).

A Table 3 structure that works in practice

Include short bullets under clear headings:

Data sources & methodology
- Source used (consolidation vs statutory vs management)
- Currency and FX translation method (and exchange rate used)
- Treatment of dividends, equity-method income (if relevant to your approach)
Material one-offs by jurisdiction
- Restructuring charges, impairments, litigation settlements
- M&A integration costs or exceptional income items
ETR drivers (for the CbCR current-tax proxy)
- Tax holidays/incentives, loss utilization, tax credits, tax-exempt items under local law
- Any material difference between accounting PBT and taxable base that explains the current-year tax expense pattern
Business model explanations
- Principal vs. limited-risk model
- IP ownership/DEMPE location at a high level (without reproducing the Master File)

What to avoid

Overly legalistic arguments (CbCR is a high-level form)
Assertions that can’t be supported in TP documentation
New facts that contradict your Master File/Local Files

If Table 3 contains a “new story” that is not reflected in your Master File/Local Files, you may convert a ratio anomaly into a credibility problem.

Align CbCR with Master File / Local Files—and plan for Pillar Two overlap

CbCR is aggregated; Master File and Local Files are narrative + transactional. Authorities use CbCR to decide where to look, then use TP documentation to decide what to challenge.

Practical alignment checks

Does the Master File value chain (including DEMPE, key risks, and central functions) explain why profits sit where they sit?
Do Local Files support routine outcomes (e.g., cost-plus/service center, distributor margins) in jurisdictions that show significant revenue and employees?
Are restructuring events visible consistently across CbCR trends and documentation narratives?

Pillar Two makes CbCR data quality more sensitive

Pillar Two transitional safe harbours are explicitly designed to reduce compliance burden by allowing groups to use Qualified CbC Reports and Qualified Financial Statements as the basis for a safe-harbour conclusion (OECD (2022) Safe Harbours and Penalty Relief). Even if your Pillar Two computation is “separate,” the operational reality is: the same teams and systems often feed both.

Transitional CbCR Safe Harbour (what matters operationally in 2025)

Timeline: applies to fiscal years beginning on or before 31 Dec 2026, but not including a fiscal year ending after 30 Jun 2028 (for calendar-year groups, this typically means FY 2024–2026) (OECD (2022) Safe Harbours and Penalty Relief).
Three tests: (1) de minimis, (2) Simplified ETR vs a transition rate, (3) routine profits (OECD (2022) Safe Harbours and Penalty Relief).
Transition rates (Simplified ETR test): 15% (FY beginning 2023/2024), 16% (FY beginning 2025), 17% (FY beginning 2026) (OECD (2022) Safe Harbours and Penalty Relief).
“Once out, always out”: if you don’t apply the transitional safe harbour for a jurisdiction in a year when you’re subject to the GloBE rules, you generally can’t use it for that jurisdiction in a later year (subject to limited exceptions) (OECD (2022) Safe Harbours and Penalty Relief).
Don’t mix ETRs: the safe harbour uses Simplified Covered Taxes from Qualified Financial Statements (not CbCR “tax accrued” alone) (OECD (2022) Safe Harbours and Penalty Relief).

Pillar Two guidance and administration are evolving. Operationally, treat your CbCR governance as “shared infrastructure” for Pillar Two: data lineage, FX methodology, sign-offs, and a controlled variance narrative.

Practical examples (with numbers): what gets flagged and how to respond

Example 1: “High profit / low substance / low ETR” hub (classic CbCR flag)

Facts (Table 1 extract):

Jurisdiction	Unrelated rev	Related rev	Total rev	PBT	Tax accrued	Employees	Tangible assets
Country H (holding/IP)	5	995	1,000	600	6	10	20
Country M (market)	1,500	50	1,550	40	10	1,000	300

What the authority computes (and why it spikes risk):

text

Country H profit per employee = 600 / 10 = 60.0
Country H profit per tangible assets = 600 / 20 = 30.0
Country H ETR (current-tax proxy) = 6 / 600 = 1.0%
Country H related-party revenue share = 995 / 1,000 = 99.5%

This combination (very high profit/substance ratios + very low ETR + heavy related-party revenue) is a textbook hypothesis generator under the OECD handbook approach (OECD (2017) CbCR Handbook).

Pre-filing response (what to do before you file):

Confirm whether Country H’s profit reflects:
- genuine DEMPE control and decision-making in Country H, or
- contractual ownership with DEMPE elsewhere (which will be challenged if misaligned).
Identify the precise current-tax ETR driver (e.g., incentive regime, loss utilization, tax credits, exempt income).

Table 3 response (what to say, briefly):

“Country H results reflect centralized IP licensing and group financing; headcount is low due to controlled outsourcing/central governance; key decision-makers are located in [jurisdiction].”
“Low current-tax ETR primarily reflects [tax holiday/patent box/tax credits] applicable to qualifying income; ‘Income Tax Accrued – Current Year’ reflects current-year tax expense under local rules.”
“CbCR prepared from [consolidation/statutory] data; FX method: [method].”

Example 2: Persistent losses in a large market distributor (routine-profile mismatch)

Facts (two-year trend):

Jurisdiction	Total rev (2024)	PBT (2024)	Tax accrued (2024)	Employees	Total rev (2025)	PBT (2025)
Country D (distribution)	900	-25	0	250	1,050	-30

Key signal:

text

2025 profit margin = -30 / 1,050 = -2.86%

If the Master File describes Country D as a limited-risk/routine distributor, persistent losses create a natural audit question: why is a routine distributor bearing sustained losses? (OECD (2017) CbCR Handbook).

Pre-filing decision: explainable vs. pricing issue

Explainable (document and disclose briefly): one-off restructuring costs, exceptional write-downs, extraordinary market disruption, start-up/exit phase.
Pricing issue (fix policy or true-up): if comparable routine distributors would earn a positive return over the cycle and there’s no credible basis for sustained losses.

Table 3 response (example):

“Country D losses reflect [inventory write-down / restructuring] of [amount] recorded locally in 2025; underlying operating margin before exceptional items is [x%]. Detailed support in Local File Country D, Section [x].”

Common pitfalls and the controls that reduce CbCR risk

Common Pitfalls to Avoid

1Explaining ratio outliers that are actually data problems (currency, mapping, entity list gaps) instead of fixing the underlying numbers.

2Leaving low ETR jurisdictions unexplained, especially when Table 2 shows mobile activities (IP holding, financing, central services).

3Allowing CbCR, Master File, and Local Files to drift into inconsistent narratives after reorganizations or TP policy changes.

4Underestimating Table 2 completeness—missing or misclassified entities can trigger correction requests and credibility issues.

5Treating Table 3 as an afterthought rather than a controlled variance explanation.

A simple control map (who should sign off on what)

Risk area	Control	Owner
Entity completeness (Table 2)	Legal entity inventory reconciliation; PE review	Tax + Legal
FX/currency consistency	Documented FX methodology; automated variance checks	Consolidation + Tax
Ratio outliers	Jurisdiction dashboard + explanation memo	TP team
Documentation alignment	Annual “CbCR ↔ Master ↔ Local” consistency review	TP lead
Filing readiness	Pre-submission XML/schema validation and peer review	Compliance

Hub: /blog/pillar-two-cbcr-guide (how CbCR and Pillar Two workflows interact)
Related guide: /blog/cbcr-preparation-guide (end-to-end filing process and data collection)
Documentation hub: /blog/transfer-pricing-documentation-guide (Master File/Local File governance)
Benchmarking: /blog/benchmarking-study-guide (how to support routine returns and loss positions)
Glossary: /glossary/country-by-country-report

FAQ: CbCR risk assessment

What is CbCR risk assessment?

CbCR risk assessment is a high-level screening process where tax authorities use CbC report data to identify transfer pricing and BEPS risk indicators and prioritize cases for enquiry or audit (OECD Action 13 (2015) ¶25).

Can tax authorities make transfer pricing adjustments based only on CbCR?

Under OECD “appropriate use,” they should not use CbCR as conclusive evidence or apply formulary allocation adjustments based on CbCR data (OECD Action 13 (2015) ¶59).

What are the most common CbCR risk indicators?

Common indicators include profit per employee, profit per tangible assets, low ETR (as a current-tax proxy), high related-party revenue share, persistent losses in market jurisdictions, unexplained year-over-year shifts, and mismatches between income tax paid and income tax accrued patterns (OECD (2017) CbCR Handbook).

How do tax authorities validate CbCR data quality?

Many administrations perform automated schema and logic checks at filing and additional validations before/after exchange; material errors can lead to correction requests (OECD (May 2025) Common errors).

How should we use Table 3 in the CbC report?

Use Table 3 to provide brief, specific explanations needed to understand Tables 1–2—especially for predictable outliers (low current-tax ETR, one-offs, restructurings) and to describe key methodology choices such as data sources and FX approach (OECD Action 13 (2015), CbCR template; OECD (2017) CbCR Handbook).

What typically triggers CbCR-based audit selection?

Triggers usually involve combinations of outliers (profit/substance, low ETR), mobile activities inferred from Table 2, persistent losses in large markets, sudden profit shifts without people/assets movement, data inconsistencies, or misalignment with Master/Local Files (OECD (2017) CbCR Handbook; OECD (May 2025) Common errors).

How does alignment with Master File and Local Files reduce CbCR risk?

Alignment helps reconcile “where profits are reported” (CbCR) with “where value is created” (Master File) and “how transactions are priced” (Local Files), reducing the chance that CbCR outliers become audit hypotheses (OECD Action 13 (2015) ¶25).

Is CbCR becoming more important because of Pillar Two?

Yes—especially operationally. The Pillar Two Transitional CbCR Safe Harbour relies on a Qualified CbC Report (for PBT) and Qualified Financial Statements (for Simplified Covered Taxes), runs through fiscal years beginning on/before 31 Dec 2026, and includes transition rates of 15%/16%/17% (OECD (2022) Safe Harbours and Penalty Relief). This increases sensitivity to CbCR data quality, governance, and consistent variance explanations.

What is the CbCR revenue threshold and why does it matter for risk assessment?

Under the OECD standard, CbCR generally applies to groups with annual consolidated group revenue of at least €750 million (or a near equivalent amount in domestic currency) in the immediately preceding fiscal year (OECD Action 13 (2015)). Local implementations can differ—for example, the US Form 8975 threshold is $850 million for the preceding reporting period (IRS Form 8975 / Treas. Reg. §1.6038-4). If you’re in scope, you should assume CbCR will be used for automated risk scoring and plan governance, dashboards, and Table 3 narratives accordingly.

Sources

Stay updated with our newsletter

Get the latest transfer pricing insights, AI benchmarking tips, and industry updates delivered straight to your inbox.

Quick Answer: CbCR Risk Assessment

Key Takeaways

→CbCR is designed for high-level risk screening—expect automated analytics, not manual “reading” first.

→Unexplained outliers (low ETR + mobile activities, profit with few employees/assets, persistent losses in markets) drive audit selection.

→Table 3 is your primary tool to pre-empt misinterpretation—keep explanations brief, specific, and consistent with TP files.

→Data quality failures (entity lists, currency/FX, inconsistent Tables 1–2) can trigger correction requests and credibility issues.

What tax authorities can (and cannot) do with CbCR data

“Appropriate use” is the legal and practical boundary

What this means in day-to-day risk assessment

Even though authorities shouldn’t assess arm’s length pricing directly from CbCR, they can (and do):

Score and rank groups and jurisdictions for audit selection
Form risk hypotheses (e.g., profit concentration, mischaracterized limited-risk entities)
Launch targeted information requests (segmented P&Ls, intercompany agreements, DEMPE evidence, financing terms)
Cross-check CbCR signals against other data (statutory accounts, tax returns, customs/VAT, rulings/APAs), as described in the OECD risk assessment handbook (OECD (2017) CbCR Handbook).

What’s inside a CbC report (Tables 1–3) and why it drives analytics

If you want to manage cbcr risk assessment outcomes, start with what the dataset actually contains.

Table 1: the ratios come from these fields

Table 2: entity inventory + business activities

Table 3: your risk narrative lever

How tax authorities analyze CbCR data: a typical workflow

The OECD’s handbook and tax administration practice (including the OECD “common errors” note) point to a fairly consistent process (OECD (2017) CbCR Handbook; OECD (May 2025) Common errors).

Stage	What happens	Why it matters to you
1) Ingestion & schema validation	XML/schema checks; technical rejects or flags	Technical failures can delay filing acceptance and trigger follow-up
2) Data quality checks	Completeness, jurisdiction/entity consistency, currency logic, unusual placeholders	“Bad data” is itself a risk indicator and can undermine credibility
3) Automated scoring	Ratio dashboards, trend flags, peer comparisons where available	Most issue selection is driven here
4) Qualitative overlay	Review Table 2 activities + Table 3 explanations	Good Table 3 notes can de-escalate outliers
5) Corroboration	Compare against TP files, returns, accounts, customs/VAT, WHT	Misalignment drives enquiries
6) Case selection & audit planning	Pick jurisdictions/issues; draft questions; coordinate where needed	You’ll see targeted, ratio-led questionnaires

A common taxpayer mistake is assuming “nobody reads CbCR.” In reality, CbCR is often machine-scored first and read only when the score (or a specific ratio) crosses an internal threshold.

Core CbCR risk indicators (and how they’re computed)

Tax authorities generally compute indicators directly from Table 1. The OECD handbook describes these as risk indicators, not conclusions (OECD (2017) CbCR Handbook).

The most common ratios you should pre-compute

Use the same basic formulas a tax authority will use:

text

Profit per employee = Profit (Loss) before income tax / Number of employees
Profit per tangible assets = Profit (Loss) before income tax / Tangible assets (non-cash)

ETR (CbCR current-tax proxy) = Income tax accrued (current year) / Profit (Loss) before income tax
Cash-tax ratio (often reviewed alongside ETR) = Income tax paid (cash basis) / Profit (Loss) before income tax

Related-party revenue share = Related-party revenue / Total revenue
Profit margin = Profit (Loss) before income tax / Total revenue
Pre-tax return on equity = Profit (Loss) before income tax / (Stated capital + Accumulated earnings)

“Two ETRs” that often get mixed up

CbCR current-tax ETR (risk-screening ratio): Income Tax Accrued – Current Year / PBT. “Income Tax Accrued – Current Year” is current tax expense and “should not include deferred taxes or provisions for uncertain tax liabilities” (OECD Action 13 (2015), template instructions).
Pillar Two transitional safe harbour Simplified ETR: Simplified Covered Taxes (from Qualified Financial Statements) / PBT (from the Qualified CbC Report) (OECD (2022) Safe Harbours and Penalty Relief).

Indicator	Typical “why it flags risk”	Common legitimate explanations (should be in Table 3 or TP files)
Profit per employee	High profit with low headcount suggests profit concentration vs. substance	Automation, high-value intangibles with real DEMPE, central entrepreneur with controlled outsourcing
Profit per tangible assets	High return on tangibles suggests intangible-driven profit in low-tax locations	IP ownership + DEMPE, contract manufacturing vs. principal model, measurement differences for tangible assets
Low ETR (CbCR current-tax proxy)	Potential low-tax profit parking, incentives, mismatched tax bases	Tax holidays/patent box, loss utilization, tax credits, exempt income under local law, statutory rate differences, one-off current-year items that affect taxable profit vs accounting PBT (document what it is and why it recurs/doesn’t)
Tax paid materially below tax accrued (over time)	Potential cash-tax leakage, disputes, or timing patterns that merit follow-up	Loss carryforwards affecting cash tax, withholding tax mechanics, refunds/offsets, settled/unsettled disputes, payment timing differences (OECD (2017) CbCR Handbook)
High related-party revenue share	Signals hub entities, principal models, financing centers	Centralized procurement, centralized IP licensing, genuine service center with cost-plus
Persistent losses in market jurisdictions	Mismatch with “routine distributor/manufacturer” characterization	Start-up/exit, market disruption, one-off write-downs, deliberate market investment supported by comparables
Sudden year-over-year shifts	Profit movement without people/assets movement suggests restructuring or pricing change	Post-merger integration, transfer of intangibles, supply chain changes, exceptional items

Interpret ratios like an auditor (but document like a taxpayer)

Authorities tend to combine indicators. A low ETR alone may not be enough. A low ETR plus:

mobile activities (IP holding, intra-group financing, procurement hubs),
high related-party revenue,
and very high profit per employee,

is a classic “stacked” risk case in the OECD examples (OECD (2017) CbCR Handbook).

What triggers CbCR-based audit selection (the patterns that recur)

CbCR audit triggers are rarely a single number. They’re patterns that look inconsistent with a value chain story.

Trigger patterns seen most often

Profit clustering in low-tax jurisdictions with minimal employees/tangibles (profit/substance misalignment)
Low ETR jurisdictions that also show mobile income characteristics (royalties, financing, service hubs inferred via Table 2)
Large-market jurisdictions with persistent losses or very low margins inconsistent with “routine” profiles
Sudden shifts in profit, headcount, or tangible assets without a clear business event
High related-party revenue concentrations that appear inconsistent with local functions
Internal inconsistency across Tables 1 and 2 (missing entities, wrong jurisdictions) or obvious data anomalies (OECD (May 2025) Common errors)
Misalignment with Master File/Local Files (CbCR says profit is in A; Master File says DEMPE/value creation is in B) — often a driver of follow-up questions and targeted enquiries (OECD (2017) CbCR Handbook)

How to run a pre-filing CbCR risk assessment (a repeatable playbook)

Step 1: Validate data quality before you analyze ratios

The OECD’s 2025 note emphasizes that many administrations run automated validations and may request corrections (OECD (May 2025) Common errors). Build these checks into your close process:

Table 1 totals reconcile to your chosen source (consolidation/statutory/management) per your CbCR methodology
Single currency and consistent FX approach (document it)
Table 2 entity list completeness (entities, jurisdictions, permanent establishments where relevant)
Reasonableness checks (e.g., negative tangible assets, headcount missing in operating jurisdictions)

Step 2: Compute authority-style dashboards (by jurisdiction and trend)

At minimum, compute:

Profit per employee
Profit per tangible assets
ETR (accrued tax / PBT, with guardrails for losses/near-zero profits)
Related-party revenue share
Year-over-year deltas for PBT, revenue, employees, tangible assets

Then segment jurisdictions into:

Expected (within historical band)
Explainable outliers (need Table 3)
Structural mismatches (need TP file refresh or policy change)

Step 3: Write the “risk hypothesis” before the tax authority does

For each explainable outlier, draft:

what a tax authority might infer, and
the concise explanation + where support exists.

This becomes your Table 3 content and your internal “audit-ready” memo.

Decision Criteria

Use Table 3 when an outlier is predictable, recurring, and explainable (e.g., tax holiday, restructuring, start-up losses).

Escalate to TP policy review when the CbCR pattern contradicts your functional characterization (e.g., “limited-risk” entity with sustained losses).

Fix the data (don’t explain it) when the outlier is caused by currency, mapping, entity list errors, or inconsistent source systems.

Align documentation when CbCR, Master File, and Local Files tell different stories about where value is created and who controls key risks.

Using Table 3 strategically: what to include (and how to keep it defensible)

Table 3 is not a dumping ground. It is a short, structured explanation designed to prevent misinterpretation (OECD (2017) CbCR Handbook; OECD Action 13 (2015), CbCR template).

A Table 3 structure that works in practice

Include short bullets under clear headings:

Data sources & methodology
- Source used (consolidation vs statutory vs management)
- Currency and FX translation method (and exchange rate used)
- Treatment of dividends, equity-method income (if relevant to your approach)
Material one-offs by jurisdiction
- Restructuring charges, impairments, litigation settlements
- M&A integration costs or exceptional income items
ETR drivers (for the CbCR current-tax proxy)
- Tax holidays/incentives, loss utilization, tax credits, tax-exempt items under local law
- Any material difference between accounting PBT and taxable base that explains the current-year tax expense pattern
Business model explanations
- Principal vs. limited-risk model
- IP ownership/DEMPE location at a high level (without reproducing the Master File)

What to avoid

Overly legalistic arguments (CbCR is a high-level form)
Assertions that can’t be supported in TP documentation
New facts that contradict your Master File/Local Files

If Table 3 contains a “new story” that is not reflected in your Master File/Local Files, you may convert a ratio anomaly into a credibility problem.

Align CbCR with Master File / Local Files—and plan for Pillar Two overlap

CbCR is aggregated; Master File and Local Files are narrative + transactional. Authorities use CbCR to decide where to look, then use TP documentation to decide what to challenge.

Practical alignment checks

Does the Master File value chain (including DEMPE, key risks, and central functions) explain why profits sit where they sit?
Do Local Files support routine outcomes (e.g., cost-plus/service center, distributor margins) in jurisdictions that show significant revenue and employees?
Are restructuring events visible consistently across CbCR trends and documentation narratives?

Pillar Two makes CbCR data quality more sensitive

Transitional CbCR Safe Harbour (what matters operationally in 2025)

Timeline: applies to fiscal years beginning on or before 31 Dec 2026, but not including a fiscal year ending after 30 Jun 2028 (for calendar-year groups, this typically means FY 2024–2026) (OECD (2022) Safe Harbours and Penalty Relief).
Three tests: (1) de minimis, (2) Simplified ETR vs a transition rate, (3) routine profits (OECD (2022) Safe Harbours and Penalty Relief).
Transition rates (Simplified ETR test): 15% (FY beginning 2023/2024), 16% (FY beginning 2025), 17% (FY beginning 2026) (OECD (2022) Safe Harbours and Penalty Relief).
“Once out, always out”: if you don’t apply the transitional safe harbour for a jurisdiction in a year when you’re subject to the GloBE rules, you generally can’t use it for that jurisdiction in a later year (subject to limited exceptions) (OECD (2022) Safe Harbours and Penalty Relief).
Don’t mix ETRs: the safe harbour uses Simplified Covered Taxes from Qualified Financial Statements (not CbCR “tax accrued” alone) (OECD (2022) Safe Harbours and Penalty Relief).

Practical examples (with numbers): what gets flagged and how to respond

Example 1: “High profit / low substance / low ETR” hub (classic CbCR flag)

Facts (Table 1 extract):

Jurisdiction	Unrelated rev	Related rev	Total rev	PBT	Tax accrued	Employees	Tangible assets
Country H (holding/IP)	5	995	1,000	600	6	10	20
Country M (market)	1,500	50	1,550	40	10	1,000	300

What the authority computes (and why it spikes risk):

text

Country H profit per employee = 600 / 10 = 60.0
Country H profit per tangible assets = 600 / 20 = 30.0
Country H ETR (current-tax proxy) = 6 / 600 = 1.0%
Country H related-party revenue share = 995 / 1,000 = 99.5%

This combination (very high profit/substance ratios + very low ETR + heavy related-party revenue) is a textbook hypothesis generator under the OECD handbook approach (OECD (2017) CbCR Handbook).

Pre-filing response (what to do before you file):

Confirm whether Country H’s profit reflects:
- genuine DEMPE control and decision-making in Country H, or
- contractual ownership with DEMPE elsewhere (which will be challenged if misaligned).
Identify the precise current-tax ETR driver (e.g., incentive regime, loss utilization, tax credits, exempt income).

Table 3 response (what to say, briefly):

“Country H results reflect centralized IP licensing and group financing; headcount is low due to controlled outsourcing/central governance; key decision-makers are located in [jurisdiction].”
“Low current-tax ETR primarily reflects [tax holiday/patent box/tax credits] applicable to qualifying income; ‘Income Tax Accrued – Current Year’ reflects current-year tax expense under local rules.”
“CbCR prepared from [consolidation/statutory] data; FX method: [method].”

Example 2: Persistent losses in a large market distributor (routine-profile mismatch)

Facts (two-year trend):

Jurisdiction	Total rev (2024)	PBT (2024)	Tax accrued (2024)	Employees	Total rev (2025)	PBT (2025)
Country D (distribution)	900	-25	0	250	1,050	-30

Key signal:

text

2025 profit margin = -30 / 1,050 = -2.86%

Pre-filing decision: explainable vs. pricing issue

Explainable (document and disclose briefly): one-off restructuring costs, exceptional write-downs, extraordinary market disruption, start-up/exit phase.
Pricing issue (fix policy or true-up): if comparable routine distributors would earn a positive return over the cycle and there’s no credible basis for sustained losses.

Table 3 response (example):

“Country D losses reflect [inventory write-down / restructuring] of [amount] recorded locally in 2025; underlying operating margin before exceptional items is [x%]. Detailed support in Local File Country D, Section [x].”

Common pitfalls and the controls that reduce CbCR risk

Common Pitfalls to Avoid

1Explaining ratio outliers that are actually data problems (currency, mapping, entity list gaps) instead of fixing the underlying numbers.

2Leaving low ETR jurisdictions unexplained, especially when Table 2 shows mobile activities (IP holding, financing, central services).

3Allowing CbCR, Master File, and Local Files to drift into inconsistent narratives after reorganizations or TP policy changes.

4Underestimating Table 2 completeness—missing or misclassified entities can trigger correction requests and credibility issues.

5Treating Table 3 as an afterthought rather than a controlled variance explanation.

A simple control map (who should sign off on what)

Risk area	Control	Owner
Entity completeness (Table 2)	Legal entity inventory reconciliation; PE review	Tax + Legal
FX/currency consistency	Documented FX methodology; automated variance checks	Consolidation + Tax
Ratio outliers	Jurisdiction dashboard + explanation memo	TP team
Documentation alignment	Annual “CbCR ↔ Master ↔ Local” consistency review	TP lead
Filing readiness	Pre-submission XML/schema validation and peer review	Compliance

Hub: /blog/pillar-two-cbcr-guide (how CbCR and Pillar Two workflows interact)
Related guide: /blog/cbcr-preparation-guide (end-to-end filing process and data collection)
Documentation hub: /blog/transfer-pricing-documentation-guide (Master File/Local File governance)
Benchmarking: /blog/benchmarking-study-guide (how to support routine returns and loss positions)
Glossary: /glossary/country-by-country-report

FAQ: CbCR risk assessment

What is CbCR risk assessment?

Can tax authorities make transfer pricing adjustments based only on CbCR?

Under OECD “appropriate use,” they should not use CbCR as conclusive evidence or apply formulary allocation adjustments based on CbCR data (OECD Action 13 (2015) ¶59).

CbCR Risk Assessment: How Tax Authorities Analyze CbC Reports (2025)

TL;DR - Key Takeaways

Sources

Stay updated with our newsletter

CbCR Risk Assessment: How Tax Authorities Analyze CbC Reports (2025)

TL;DR - Key Takeaways

Quick Answer: CbCR Risk Assessment

Key Takeaways

What tax authorities can (and cannot) do with CbCR data

“Appropriate use” is the legal and practical boundary

What this means in day-to-day risk assessment

What’s inside a CbC report (Tables 1–3) and why it drives analytics

Table 1: the ratios come from these fields

Table 2: entity inventory + business activities

Table 3: your risk narrative lever

How tax authorities analyze CbCR data: a typical workflow

Core CbCR risk indicators (and how they’re computed)

The most common ratios you should pre-compute

Interpret ratios like an auditor (but document like a taxpayer)

What triggers CbCR-based audit selection (the patterns that recur)

Trigger patterns seen most often

How to run a pre-filing CbCR risk assessment (a repeatable playbook)

Step 1: Validate data quality before you analyze ratios

Step 2: Compute authority-style dashboards (by jurisdiction and trend)

Step 3: Write the “risk hypothesis” before the tax authority does

Decision Criteria

Using Table 3 strategically: what to include (and how to keep it defensible)

A Table 3 structure that works in practice

What to avoid

Align CbCR with Master File / Local Files—and plan for Pillar Two overlap

Practical alignment checks

Pillar Two makes CbCR data quality more sensitive

Practical examples (with numbers): what gets flagged and how to respond

Example 1: “High profit / low substance / low ETR” hub (classic CbCR flag)

Example 2: Persistent losses in a large market distributor (routine-profile mismatch)

Common pitfalls and the controls that reduce CbCR risk

Common Pitfalls to Avoid

A simple control map (who should sign off on what)

Related topics (next steps)

FAQ: CbCR risk assessment

What is CbCR risk assessment?

Can tax authorities make transfer pricing adjustments based only on CbCR?

What are the most common CbCR risk indicators?

How do tax authorities validate CbCR data quality?

How should we use Table 3 in the CbC report?

What typically triggers CbCR-based audit selection?

How does alignment with Master File and Local Files reduce CbCR risk?

Is CbCR becoming more important because of Pillar Two?

What is the CbCR revenue threshold and why does it matter for risk assessment?

Sources

Stay updated with our newsletter

Quick Answer: CbCR Risk Assessment

Key Takeaways

What tax authorities can (and cannot) do with CbCR data

“Appropriate use” is the legal and practical boundary

What this means in day-to-day risk assessment

What’s inside a CbC report (Tables 1–3) and why it drives analytics

Table 1: the ratios come from these fields

Table 2: entity inventory + business activities

Table 3: your risk narrative lever

How tax authorities analyze CbCR data: a typical workflow

Core CbCR risk indicators (and how they’re computed)

The most common ratios you should pre-compute

Interpret ratios like an auditor (but document like a taxpayer)

What triggers CbCR-based audit selection (the patterns that recur)

Trigger patterns seen most often

How to run a pre-filing CbCR risk assessment (a repeatable playbook)

Step 1: Validate data quality before you analyze ratios

Step 2: Compute authority-style dashboards (by jurisdiction and trend)

Step 3: Write the “risk hypothesis” before the tax authority does

Decision Criteria

Using Table 3 strategically: what to include (and how to keep it defensible)

A Table 3 structure that works in practice

What to avoid

Align CbCR with Master File / Local Files—and plan for Pillar Two overlap

Practical alignment checks

Pillar Two makes CbCR data quality more sensitive

Practical examples (with numbers): what gets flagged and how to respond

Example 1: “High profit / low substance / low ETR” hub (classic CbCR flag)

Example 2: Persistent losses in a large market distributor (routine-profile mismatch)